VhRddlmZmZmZeZddgddZdZdZdZ dd l Z dd l Z dd l Z dd l Z dd lZdd lmZdd lmZdd lmZdd lmZmZddlmZmZdd lZdd lmcmcmcmcm Z!ddl"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)ddl*m+Z+ ddl,m-Z-ddl.m/Z/d Z0e+Z3d a4dZ5dZ6dZ7dZ8dZ9dZ:dZ;dZd#Z?d$Z@d%ZAGd&d'e%ZBy #e1$re jdZ0YbwxYw)))absolute_importdivisionprint_functionz1.1preview community)metadata_versionstatus supported_bya name: conjur_variable version_added: "1.0.2" short_description: Fetch credentials from CyberArk Conjur. author: - CyberArk BizDev (@cyberark-bizdev) description: Retrieves credentials from Conjur using the controlling host's Conjur identity, environment variables, or extra-vars. Environment variables could be CONJUR_ACCOUNT, CONJUR_APPLIANCE_URL, CONJUR_CERT_FILE, CONJUR_CERT_CONTENT, CONJUR_AUTHN_LOGIN, CONJUR_AUTHN_API_KEY, CONJUR_AUTHN_TOKEN_FILE Extra-vars could be conjur_account, conjur_appliance_url, conjur_cert_file, conjur_cert_content, conjur_authn_login, conjur_authn_api_key, conjur_authn_token_file Conjur info - U(https://www.conjur.org/). requirements: - 'The controlling host running Ansible has a Conjur identity. (More: U(https://docs.conjur.org/latest/en/Content/Get%20Started/key_concepts/machine_identity.html))' options: _terms: description: Variable path required: True validate_certs: description: Flag to control SSL certificate validation type: boolean default: True as_file: description: > Store lookup result in a temporary file and returns the file path. Thus allowing it to be consumed as an ansible file parameter (eg ansible_ssh_private_key_file). type: boolean default: False identity_file: description: Path to the Conjur identity file. The identity file follows the netrc file format convention. type: path default: /etc/conjur.identity required: False ini: - section: conjur, key: identity_file_path env: - name: CONJUR_IDENTITY_FILE config_file: description: Path to the Conjur configuration file. The configuration file is a YAML file. type: path default: /etc/conjur.conf required: False ini: - section: conjur, key: config_file_path env: - name: CONJUR_CONFIG_FILE conjur_appliance_url: description: Conjur appliance url type: string required: False ini: - section: conjur, key: appliance_url vars: - name: conjur_appliance_url env: - name: CONJUR_APPLIANCE_URL conjur_authn_login: description: Conjur authn login type: string required: False ini: - section: conjur, key: authn_login vars: - name: conjur_authn_login env: - name: CONJUR_AUTHN_LOGIN conjur_account: description: Conjur account type: string required: False ini: - section: conjur, key: account vars: - name: conjur_account env: - name: CONJUR_ACCOUNT conjur_authn_api_key: description: Conjur authn api key type: string required: False ini: - section: conjur, key: authn_api_key vars: - name: conjur_authn_api_key env: - name: CONJUR_AUTHN_API_KEY conjur_cert_file: description: Path to the Conjur cert file type: path required: False ini: - section: conjur, key: cert_file vars: - name: conjur_cert_file env: - name: CONJUR_CERT_FILE conjur_cert_content: description: Content of the Conjur cert type: string required: False ini: - section: conjur, key: cert_content vars: - name: conjur_cert_content env: - name: CONJUR_CERT_CONTENT conjur_authn_token_file: description: Path to the access token file type: path required: False ini: - section: conjur, key: authn_token_file vars: - name: conjur_authn_token_file env: - name: CONJUR_AUTHN_TOKEN_FILE z --- - hosts: localhost collections: - cyberark.conjur tasks: - name: Lookup variable in Conjur debug: msg: "{{ lookup('cyberark.conjur.conjur_variable', '/path/to/secret') }}" z: _raw: description: - Value stored in Conjur. N) b64encode)netrc)sleep)S_IRUSRS_IWUSR) gettempdirNamedTemporaryFile) AnsibleError) LookupBasequoteopen_url)Display)load_pem_x509_certificate)default_backendcd|vr!|jddj}n$d|vr |jddj}tjdd|tj}tjdd|tj}tjdd|}tj d |tj s td  t|jt|S#t$r}td t|d |d}~wtj$r}td t|d|d}~wt$r}tdt|d|d}~wwxYw)Nz   z^[ \t]+)flagsz[ \t]+$z\n+z8^-----BEGIN CERTIFICATE-----.+-----END CERTIFICATE-----$zInvalid Certificate format.z&Invalid certificate content provided: z&. Please check the certificate format.z,SSL error while validating the certificate: z.. The certificate may be corrupted or invalid.z4An error occurred while validating the certificate: z5. Please verify the certificate format and try again.)replacestripresubMmatchDOTALLrrencoder ValueErrorstrsslSSLError Exception) cert_contenterrs r/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/cyberark/conjur/plugins/lookup/conjur_variable.py_validate_pem_certificater0ss #++FD9??A  #++D$7==? 66*b,bddCL66*b,bddCL66&$ 5L 88OQ]_a_h_h i899!,"5"5"79JK 4SXJ?3 3   <<:3s8*E; ;   B3s8*MB B  s0 #D E? D&&E?<E E?!E::E?c @|r# tjdt|}|S|rqt jj|std|d t|d5}|jjd}t|}|cdddStd #t$r,}tj dt |dYd}~d}~wwxYw#1swYnxYw td #t$r }td|d t ||d}~wwxYw) Nz'Validating provided certificate contentzInvalid certificate content: z%. Attempting to use certificate file.zCertificate file `z$` does not exist or cannot be found.rbutf-8z-Failed to load or validate certificate file ``: ziBoth certificate content and certificate file are invalid or missing. Please provide a valid certificate.) displayvvvr0rwarningr)ospathexistsopenreaddecoder,)r- cert_filer.filecert_file_contents r/_get_valid_certificaterAsC m KKA B4\BL  ww~~i(!3I;>bcd d ri& )$$(IIK$6$6w$?!$=>O$P!( ) ) C DD! m OO;CH:Ejk l l m ) ) ) C DD  r!NykY\]`ad]e\fghnq q rsG!B$ C4#,C C4$ C-"CCC%!C44 D=DDct||}|rJ tdddatj|tj tj }|S|S#t $r}tdt||d}~wwxYw)NFwr3)deletemodeencodingz-Failed to create temporary certificate file: ) rArTEMP_CERT_FILEwriteclosenamer,rr))r-r>r.s r/_get_certificate_filerKs), BL d/u3QXYN   .  "&++I 9 d!NsSVxjYZ`c c dsAA B$A<<Bc4tjd|tjj |siStj d|t |d5}tj|j}|cdddS#1swYyxYw)Nz conf file: zLoading configuration from: r3)rF) r5r6r8r9r:vvvvr;yaml safe_loadr<) conf_pathr?configs r/_load_conf_from_filerRsx KK+i[)* 77>>) $  LL/ {;< i' *d ,s %BBcHtjd|tjj |siStjd|d||d}t |}|j |td||j |\}}}|r|siS||dS)Nzidentity file: zLoading identity from: z for z/authnzFThe netrc file on the controlling host does not contain an entry for: idapi_key)r5rMr8r9r:r authenticatorsr) identity_path appliance_urlconjur_authn_urlidentityhost_idunusedrVs r/_load_identity_from_filer^s LL?=/23 77>>- (  LL*=/}oNO'/]#H/08cdtcuvww'667GHGVW ' g ..c:i}|D]}|j||SN)update)argretitems r/_merge_dictionariesrf-s' C 4 Jr_ct|dS)Nr)safer) input_strs r/ _encode_strrj9s  $$r_c|d|dt|d}tjd|dt|t||d||}|j }|dk7rt d |d |d |j S) Nz/authn//z /authenticatez%Authentication request to Conjur at: z , with user: POST)datamethodvalidate_certsca_pathzFailed to authenticate as 'z' (got z response))rjr5rMrgetcoderr<) conjur_urlaccountusernamerVrpr>responsecodes r/_fetch_conjur_tokenry>s.parameters_wrapper..decoratorWsKq  H#)4#:6#:L''#--?"g-! II=>>~~H"g-! IIFGGHn%s BA  BBB)rrrrs` r/parameters_wrapperz!retry..parameters_wrapperVs & r_r)rrrs`` r/retryrNs$ r_ )rrc"t|||||S)Nheadersrorprqr)urlrrorprqs r/_repeat_open_urlrks C#!#1#  %%r_ct|}dd|jddi}|d|dt|}tj d|t ||d|| }|j d k(r;tj d |d |jjd} | gS|j d k(r td|j dk(rtd||j dk(rtd|diS)N Authorizationz Token token="r3"z /secrets/z /variable/zConjur Variable URL: GETrrrzConjur variable z was successfully retrievediz4Conjur request has invalid authorization credentialsizOThe controlling host's Conjur identity does not have authorization to retrieve iz The variable z does not exist) r r=rjr5rMrrsr<r) conjur_variabletokenrtrurpr>rrrwvalues r/_fetch_conjur_variablerus- e E- W0E/Fa HIG L '*[5Q4R SC LL(./(/',/=(1 3H S  ''88STU &&w/wS QRRS mn}m~A AS ]?*;?KLL Ir_c`tjdtjrytS)Nz/dev/shm)r8accessW_OKrrr_r/_default_tmp_pathrs yyRWW% <r_ctdtd}tj|jt t z|j|d|jgS)NrCF)rEdirrDr)rrr8chmodrJrrrH)r secrets_files r/_store_secret_in_filersO%34E4GPUVLHH\  ' 12uQx    r_ceZdZddZdZy) LookupModuleNc |gk(r td|dr|djr td|j|||jd}|jd}|jd}|jd}|jd }|jd } |jd } |j d } |j d } |j d} | durt j ddt|vr td| dur t| |}tt| ||||dni|d|ini| d| ini}d|vsd|vr tdd|vrF|j d}tt||d||||dni}d|vsd|vr tdd}d|vr t jd|d|d} d}d|vrt|d|dd|d| |}n\tjj!|dstd |dd!t#|dd"5}|j%}dddt'|d||d|d| |}t(rQ tjj!t(j*r#tj,t(j*| r t3|S|S#1swYxYw#t.t0f$r.}td#t(j*d$t||d}~wwxYw#t(r tjj!t(j*r$tj,t(j*ww#t.t0f$r.}td#t(j*d$t||d}~wwxYwwxYw)%Nz-Invalid secret path: no secret path provided.rz4Invalid secret path: empty secret path not accepted.) var_optionsdirectconjur_appliance_urlconjur_accountconjur_authn_loginconjur_authn_api_keyconjur_cert_fileconjur_cert_contentconjur_authn_token_filerp config_fileas_fileFzSCertificate validation has been disabled. Please enable with validate_certs option.zhttp://zL[WARNING]: Conjur URL uses insecure connection. Please consider using HTTPS.T)rurYr>authn_token_filerurYaConfiguration must define options `conjur_account` and `conjur_appliance_url`. This config can be set by any of the following methods, listed in order of priority: - Ansible variables of the same name, set either in the parent playbook or passed to the ansible-playbook command with the --extra-vars flag - Environment variables `CONJUR_ACCOUNT` and `CONJUR_APPLIANCE_URL` - A configuration file on the controlling host with fields `account` and `appliance_url` identity_filerTrUrVa4Configuration must define options `conjur_authn_login` and `conjur_authn_api_key`. This config can be set by any of the following methods, listed in order of priority: - Ansible variables of the same name, set either in the parent playbook or passed to the ansible-playbook command with the --extra-vars flag - Environment variables `CONJUR_AUTHN_LOGIN` and `CONJUR_AUTHN_API_KEY` - An identity file on the controlling host with the fields `login` and `password`zUsing cert file path zConjur authn token file `z` was not found on the hostr2z-Failed to delete temporary certificate file `r4)risspace set_options get_var_value get_optionr5r7r)rKrfrRr^r6ryr8r9r:r;r<rrGrJunlinkOSErrorPermissionErrorr)selfterms variablesrrYru authn_login authn_api_keyr>r-rrp conf_filerconfrr[rr?rr.s r/runzLookupModule.runsS B;NO OQx58++-UV V Yv>**+AB $$%56(()=> **+AB &&'9: ))*?@ --.GH)9:OOM2 //), U " OOq r M* * np p T !-lIFI"  + #!- #!. 'Y "-#$4 # ( D O4$?l  T ) OOO?&)B4HZC[B\\w'xyy$12D9(T IIKE(5a_%Y ODww~~n&9&9: ."5"56 (9 9-((  1D&)VWeWjWjVkknorsvownx'yzADDD Dww~~n&9&9: ."5"56;1D&)VWeWjWjVkknorsvownx'yzADDD sc"A&L,K !L,AK, K)%L,,L);)L$$L),O4ANOO)N>>OOcj |j|}|S#t$r}t|d|d}~wwxYw)Nz! was not defined in configuration)rKeyErrorr)rkeyvariable_valuer.s r/rzLookupModule.get_var_value'sG S!__S1N S#&GHIs R Ss 2-2ra)__name__ __module__ __qualname__rrrr_r/rrsDLr_r)NNTN)C __future__rrrtype __metaclass__ANSIBLE_METADATA DOCUMENTATIONEXAMPLESRETURNr8r tracebackr*r"base64r r timer statrrtempfilerrrN+ansible.module_utils.six.moves.urllib.error module_utilssixmovesurlliberrorr~ansible.errorsransible.plugins.lookupr+ansible.module_utils.six.moves.urllib.parseransible.module_utils.urlsransible.utils.displayrcryptography.x509rcryptography.hazmat.backendsrCRYPTOGRAPHY_IMPORT_ERROR ImportError format_excr5rGr0rArKrRr^rfrjryrrrrrrrr_r/rs!CB (-(k$/1@ D     !3 BBB'-=.)%;<!% )BD2 " /0%  :q$%%%6N:NY7 4 4 4 67s CC65C6